In a recent blog post (https://thinkingrecords.co.uk/2019/02/14/managing-email-in-office-365/), James Lappin provided a good overview of the direction that Microsoft have gone with retention and disposal in Office 365.
A key point with almost anything to do with SharePoint Online (that differentiates it from on-premises) is that SharePoint Online (and its ‘personal’ end-user service, OneDrive for Business) is just one element of the Office 365 ecosystem. That is, you can no longer really regard SharePoint as a standalone service that can be managed independently of the other services you may or may not decide to use.
- Office 365 Groups (which are an Exchange object, similar to Distribution Lists and Security Groups) all have an associated SharePoint site. O365 Groups are in many ways at the ‘heart’ of the Office 365 security/permission model. You cannot create an O365 Group without a SharePoint site.
- Teams in Microsoft Teams (yes the duplication of wording is unfortunate) create an Office 365 Group (which in turn creates a SharePoint site). Alternatively, you can create an Office 365 Group (with a SharePoint site) and link that Group to the new Team. So, Teams in Microsoft Teams have their own Team site.
- If you enable the ‘Create Site’ option in the end-user SharePoint portal, and the user selects ‘Team site’, this creates an Office 365 Group also.
- If you allow anyone to create an Office 365 Group, then any new Yammer group creates an Office 365 Group and – yes, you got it right – a SharePoint site.
- Retention policies for Exchange and SharePoint are set as ‘classification policies’ in the Office 365 Security and Compliance admin portal. This, by the way, is also where you set the new Information Security policies that have only recently appeared. They are both a type of label.
It can be quite overwhelming at first, but the key point is that you cannot regard SharePoint as an isolated application any more. However, most IT shops are pretty ‘hardened’ to the idea that the Exchange ‘box’ (the server) and the SharePoint box are managed by different teams, and one challenge in the new Office 365 world may be to convince the Exchange admins that they should be friends with the SharePoint admins AND the records team.
Backing up as a retention option
It is important to understand that IT departments often regard ‘backing up’ as a form of retention (or ‘archiving’). Your IT department will almost always have a back-up regime for its on-premises servers.
However, you cannot (easily, cost efficiently) back up SharePoint Online or Exchange Online like you could back up your on-premises environments, but there are many vendors in the market who will offer you a solution to this.
Most IT shops consider back-ups to be an archive from which they can retrieve content, a kind of alternative records retention regime. This factor may affect any decisions that need to be made about retention policies applied to both Exchange Online and SharePoint Online.
The problem with applying retention and disposal policies to email
It almost goes without saying that, while retention policies can be applied to Exchange Online, typically (a) the content is structured (in multiple folders) differently by every person and (b) the content is mixed together so no retention policy can normally apply to all emails in a single folder.
This is why, generally speaking, we ask users to copy emails into SharePoint (or other EDRM) containers or aggregations (document libraries, files), to keep the content in context.
But in most cases the content (the emails) still remains in Exchange too.
Challenges when applying retention and disposal actions to emails
There are several challenges for the application of records retention and disposal policies in Exchange/Outlook.
- Do you have a blanket approach to all email, disallowing the deletion of any email for say 7 years?
- Or do you apply a much shorter retention policy to all emails (say 12 months or less)? (Cue – ‘but what if I want to get my email back after 5 years’ from a user with a labyrinthine email folder structure)
- Do you rely on users to copy emails to SharePoint or other EDRM containers where they will be stored in context?
The core problem with email is that it’s personal to each user. While it may be good to be able to apply a retention policy to emails, my sense is that anything that is optional will almost always fail to be taken up.
Having a single retention policy (e.g., 7 years) applied to the email accounts of departed users may be a good option (similar to the same policy applied to the OneDrive accounts of departed users).
Another newish option is to use the new Microsoft Flow options to automatically move emails and/or attachments to SharePoint document libraries.
Every organisation is likely to be different and all options need to be considered, understood and then applied – along with the question: ‘Do we (really) need to back this up’?